Example Bank’s Existing Architecture

Example Bank’s infrastructure includes a Windows NT domain (EXBANK), an Active Directory domain (eb.com)
with two domain controllers, and a two-way MMR Sun Java System Directory Server (dc=eb,dc=com) deployment.
Example Bank has two main sites: one located in New York City and one in Los
Angeles.

The following figure describes Example Bank’s deployment of its directory
resources.

Figure 2–1 Example Bank Architecture

Directory Server Information

Sun Java System Directory Server is the corporate directory server
that is used to control access to all web-based applications. Pluggable Authentication Module (PAM) for LDAP authenticates and manages passwords on the Solaris Operating System
(Solaris OS) against Directory Server passwords. The two preferred Directory
Servers manage a single root suffix, dc=eb,dc=com, and
all users are stored in the ou=people,dc=eb,dc=com container
with uid as the naming attribute. The directory servers,
installed on Solaris systems, are running on separate machines: master-east.eb.com and master-west.eb.com.

Windows NT Information

The single Windows NT domain is called EXBANK. The Primary Domain Controller (PDC) runs on
a pdc-east.eb.com machine in New York City. A backup domain
controller (bdc-west.eb.com) runs on a machine located
in Los Angeles. All Windows NT user accounts have a Directory Server account
with the exception of the built-in Windows NT accounts. The Windows NT USER_NAME attribute is the same as the Directory Server uid attribute.

Active Directory Information

The Active Directory deployment has a single domain, eb.com,
with two domain controllers:

ad-east.eb.com (in New York City)

ad-west.eb.com (in Los Angeles)

In this deployment, ad-west.eb.com is the PDC Flexible
Single-Master Operation (FSMO) role owner.

Users are stored in two separate organizations corresponding to the
two sites:

ou=east,dc=example,dc=com

ou=west,dc=example,dc=com

Example Bank is in the process of migrating users
from Windows NT to Active Directory. Each employee has a Windows NT or Active
Directory account. The migration of the users is based (in phases) on the
employees’ last names. Every week Example Bank moves users whose last
name begins with the next letter of the alphabet. Currently, the company has
migrated employees whose last names begin with letters A through F.

For users who have Directory Server accounts, the Active Directory samaccountname attribute stores the uid. When
a user account is migrated from Windows NT, the user keeps the same login.
That is, the Active Directory samaccountname attribute
of the new user is the same as the Windows NT USER_NAME attribute.
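The correlation rules stated above (every non-built-in Windows NT account has a Directory Server entry whose uid equals USER_NAME, every Active Directory samaccountname equals a Directory Server uid, and users whose last names fall in the migrated A through F range live in Active Directory rather than Windows NT) are exactly the invariants an administrator would want to verify before and during each weekly migration batch. The following reconciliation script is an added example and is not part of the Sun documentation or of Identity Synchronization for Windows; the LDIF-style entries, the NT account list and the built-in account names it skips are all constructed here, and the helper names are my own.

```python
"""Reconciliation check for Example Bank's account correlation rules.

Added illustration, not code from the original documentation. The sample
Directory Server, Active Directory and Windows NT data below is constructed;
the migration cutoff letter (F) is the one stated in the scenario text.
"""
import re

MIGRATED_THROUGH = "F"              # last names A..F have been moved to Active Directory
NT_BUILTIN = {"Administrator", "Guest"}   # assumption: built-in NT accounts to skip

# Constructed Directory Server entries under ou=people,dc=eb,dc=com (uid is the naming attribute)
DS_LDIF = """\
dn: uid=aadams,ou=people,dc=eb,dc=com
uid: aadams
sn: Adams

dn: uid=rfoster,ou=people,dc=eb,dc=com
uid: rfoster
sn: Foster

dn: uid=jgarcia,ou=people,dc=eb,dc=com
uid: jgarcia
sn: Garcia

dn: uid=mzhou,ou=people,dc=eb,dc=com
uid: mzhou
sn: Zhou
"""

# Constructed Active Directory entries (samaccountname is expected to equal the uid)
AD_LDIF = """\
dn: cn=Adams,ou=east,dc=example,dc=com
sAMAccountName: aadams
sn: Adams

dn: cn=Brown,ou=west,dc=example,dc=com
sAMAccountName: bbrown
sn: Brown
"""

# Constructed Windows NT account export: (USER_NAME, last name)
NT_ACCOUNTS = [
    ("Administrator", ""),
    ("rfoster", "Foster"),
    ("jgarcia", "Garcia"),
    ("mzhou", "Zhou"),
]


def parse_ldif(text):
    """Parse a minimal LDIF text into a list of dicts with lower-cased attribute names."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def is_migrated(last_name):
    """True if a last name falls in the range already moved to Active Directory."""
    return bool(last_name) and last_name[0].upper() <= MIGRATED_THROUGH


def reconcile():
    """Return a list of human-readable discrepancies against the stated rules."""
    ds = {e["uid"]: e for e in parse_ldif(DS_LDIF)}
    ad = {e["samaccountname"]: e for e in parse_ldif(AD_LDIF)}
    findings = []
    for user_name, last in NT_ACCOUNTS:
        if user_name in NT_BUILTIN:
            continue                       # built-ins have no Directory Server account by design
        if user_name not in ds:
            findings.append(f"NT {user_name}: no Directory Server account with uid {user_name}")
        if is_migrated(last):
            findings.append(f"NT {user_name}: last name {last} should already be in Active Directory")
        if user_name in ad:
            findings.append(f"{user_name}: present in both Windows NT and Active Directory")
    for sam, entry in ad.items():
        if sam not in ds:
            findings.append(f"AD {sam}: samaccountname has no matching Directory Server uid")
        if not is_migrated(entry.get("sn", "")):
            findings.append(f"AD {sam}: last name {entry.get('sn', '')} is outside the migrated range")
    return findings


if __name__ == "__main__":
    for finding in reconcile():
        print(finding)
```

Run against the constructed data the check reports two discrepancies: rfoster (Foster) is still a Windows NT account although the F batch has been migrated, and the Active Directory account bbrown has no Directory Server uid behind it. In a real deployment the three inputs would come from an LDAP export of each directory and an NT account dump rather than inline strings, but the invariants tested are the same.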